Gartner Polls and Surveys Show an Increase in Software License Audits
 
31 July 2009

Alexa Bona, Jane B. Disbrow

Gartner RAS Core Research Note G00169933
 

Gartner has been polling clients and conference attendees regarding software audits. In the past year, we have seen a significant increase in the numbers experiencing audits. We advise clients on how to reduce the risk of audits and minimize the pain if audits occur.





Overview



  • Organizations need to understand that the chance of being audited is real, and that an audit can be costly in staff time and in unexpected license fees if there is no effective asset management in the organization.
  • Several surveys and Gartner inquiries indicate that Adobe, IBM, Microsoft and Oracle are the vendors most actively conducting compliance-checking activities, but many other vendors are also increasing audits.
Key Findings
  • Software audits are increasing. Gartner surveys of clients indicate that more than 50% have been audited by at least one software vendor in the past 12 months, up from 31% to 37% in surveys from previous years.
  • Having good asset management can reduce the time and pain of a software vendor audit. In some cases, Gartner has heard of vendors agreeing not to audit after customers proved that they were tracking licenses effectively.
Recommendations
  • Audits are increasingly likely. If you don't already have asset management processes, procedures, tools and funding available, then now is the time to start.
  • Proactively look at licensing and compliance as an ongoing discipline, rather than leaving it as an audit-driven project when it may already be too little, too late.



What You Need to Know



Software-vendor-initiated audits are increasing. It is much easier to go through an audit if you have good asset management policies, processes and tools in place before the audit is conducted. Being out of compliance can be costly for an organization — with possible fines and penalties, negative publicity, and higher prices for software than could be negotiated if not in response to an audit finding.






Analysis




Survey Results

Gartner polls and surveys conducted in the past six months have shown a significant upward trend in software vendor audits. This has been validated by an increased number of inquiries on the topic of audits in general and related to specific vendors. During the past six months, we have been surveying a number of our clients through inquiries, webinars and post-conference surveys, asking how many of them had been approached by a software vendor to do a software audit in the past 12 months. In a series of Gartner webinars on software licensing and cost optimization between February and June 2009, attended by Gartner clients and prospects from around the globe, 728 attendees were asked this question. The results showed that 56% had been asked to do at least one audit in the past 12 months.

In addition to the webinar polls, we also conducted a survey at a Gartner licensing briefing from May through July 2009 in several cities in Europe, the Middle East and Africa, asking the same question. Of the 230 respondents, 63% said they had been asked to do at least one audit in the past year (see Note 1).

In May 2009, we surveyed IT asset managers and procurement professionals asking a number of questions, one of which was the same question on software audits. Of the 65 respondents, 54% suggested that they had been audited by at least one software vendor in the past year.

These numbers are significantly higher than we have seen in surveys we have conducted in prior years. In previous surveys, when we asked IT asset management or IT procurement professionals the same question, typically we would see that 31% to 37% of the respondents had an audit in the past 12 months (see Note 2).

In the latter two surveys, we asked a subsequent question to establish which vendors were doing the most audits. Across both surveys, the vendors consistently conducting the most compliance-checking activities were Adobe, Oracle, Microsoft and IBM. These results are also consistent with Gartner inquiries on this topic.

Less frequent but still in evidence were audits from Attachmate, BMC Software, Borland, CA, Compuware, Emptoris, HP, Infor, Informatica, McAfee, Micro Focus (Borland), Novell, QAD, Quest Software, SAP, Software AG, Symantec and Tibco Software. Other vendors were also listed as auditing, but in fewer numbers. Even if a vendor is not listed here, there may still be significant cost involved if a software vendor decides to audit, so don't assume that these are the only vendors you need to be focusing on (see Note 3).

In some cases, audits are entirely legitimate, because clients have simply lost control of license compliance and have installed more copies than they are licensed for. However, we are also seeing evidence of increased audits as vendors attempt to make up for revenue shortfalls that they may be experiencing due to a decline in transaction volumes and deal sizes as a result of the economic downturn. In other cases, we have seen anecdotal evidence of audits after vendors failed to close large enterprise deals with customers.




How to Best Prepare for Audits

Software vendor audits can have significant financial effects and involve substantial amounts of time (see Note 4). Although there may be established policies against unauthorized software, the audited entity may still be out of compliance without realizing it. This could be because they haven't understood the subtleties of the license grant or related vendor policies that haven't been documented, or because the controls on installation are not as robust as they imagined.

On-site audits aren't pleasant. Normal work is disrupted as deployment inventories are conducted, and purchasing records, license agreements and other documentation are researched, verified and reconciled. Because many contracts are vague regarding their usage rights, and are subject to various interpretations, there can be significant management time involved in discussing issues related to these rights. In a best-case scenario, the company is within compliance, and only personnel time is involved. Worst case, the audit will prove that the company is out of compliance and must pay the incremental license fees at a point when negotiation leverage is at its lowest. When an audit is conducted by a professional body or trade association looking for publicity, it can be difficult to persuade it not to publish the results.

To prepare for a software audit:

  • Develop an audit response team, and establish procedures to handle current and future audit requests.
  • Include someone from finance on the team who has experience with financial audit procedures and techniques.
  • Recognize that, although most audits result from legitimate vendor concerns about license compliance, we have seen incidents in which audits have been threatened following failed negotiations or periods of decreased spending, or when market challenges mean the vendor is under extreme pressure to increase revenue.

If an on-site audit is required:

  • Immediately contact legal, senior management and the audit response team to discuss issues and ensure that they are "up to speed" on the proceedings.
  • Have your legal department and asset manager review all contracts and documentation from the vendor.
  • Establish a single, central point of contact (preferably someone with internal audit experience) for all audit discussions with the software vendor.
  • If not already known, find out what information the vendor will collect and how it will be used to help you improve your own software asset management.
  • Consider a proactive licensing cleanup before an audit begins. For example, if you have usage tools and can see that an installed copy is not being used by the person it is assigned to, then you can remove it and redeploy the license where it is needed.



Managing Audit Failure: What if the Worst Happens?

What happens when the audit results are presented?

Clients need a reasonable amount of time (we recommend at least 90 days) to review the audit results. During the report evaluation period, companies should negotiate the right to correct any problems that do not reflect real usage during the audit analysis period — for example, software may be installed on servers in a storeroom and no longer be in service, or software that is not being used may have been downloaded in error. Because most software is measured based on whether it is installed, regardless of usage, discovering this lack of usage, and using this time to deinstall the software, would achieve the goal of compliance, without incurring additional license costs. Customers without software asset management may not be able to demonstrate that they have eliminated this legacy software, so a further audit may be required at their expense.




What happens if there's a conflict between the customer and the vendor concerning audit results, and how licenses should be counted?

Some of these disputes can be avoided by using an independent third-party tool to measure usage; however, ensure that the tool is tailored to the specific vendor's license grant definition. Many usage tools have generic definitions of common license metrics, such as named user, concurrent user and CPU, and do not take into consideration the nuances of specific vendors' restrictions or policies — for example, on CPU cores or virtualization. Some disputes cannot be resolved directly with the vendor. Whether such a dispute will be resolved through a certified third party, arbitration, mediation or the courts should be discussed with your legal department. Ensure that the contract provides uninterrupted use of the products until the dispute is settled.




If the company is out of compliance, then how are the fees due calculated?

In a limited number of deals, we have seen vendors contractually agree that their customers may be up to 5% out of compliance in a single year. However, this is not standard, and fees are generally due on any noncompliant installation. Many vendors will want the fees to be calculated based on then-current list prices. We have seen some companies successfully negotiate to pay based on their established discounted prices, but only if they are less than 10% out of compliance and the fees are paid within 30 days. It's difficult to extend these clauses beyond the 10% range, because vendors fear there would be little incentive for customers to remain compliant.




What if an organization is overlicensed?

If an audit shows the customer has too many of one category and too few of another, then organizations should negotiate a clause that enables them to swap one type of license (such as named users for human resources usage) for another (for example, CPU for databases), as long as it does not exceed the net value of the overall contract.




Lessons Learned — Longer-Term Strategies to Minimize the Pain of an Audit

Ongoing Software Asset Management Initiatives Are Key

Develop a license compliance/audit policy that communicates to your employees how their actions can affect compliance — for example, using software on a noncorporate-owned home device, if the software was only licensed to run on corporate devices. Where appropriate, detail the penalties for noncompliance. Ensure that this policy is updated to reflect new license terms you negotiate, and that it is articulated in layperson's terms.

Create and maintain accurate inventory and license entitlement data. Spend 3% to 5% of your software budget on asset management tools, personnel and processes to adequately manage your software assets and, therefore, minimize the exposure associated with software audits. This should include autodiscovery/inventory tools, an IT asset management repository (or, failing that, a centralized mechanism for monitoring and managing entitlements), and asset management policies and processes that capture and maintain license entitlements. Usage tools can also be helpful to ensure that the appropriate people have access to licenses on an ongoing basis. However, because most license agreements are based on installation, rather than usage, they will be of marginal value in an actual audit, unless you're able to argue that there was no "value" in an installed, but unused, product. As part of a software asset management initiative, though, increasing numbers of clients have a harvesting policy stating that, if software is not used in, for example, 90 days, then it can be removed and deployed elsewhere.
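The points above (licenses are consumed by installation regardless of use, generic "CPU" counts diverge from a vendor's own core-based metric, and a 90-day harvesting rule can bring an estate back into compliance without buying more licenses) are easier to see in a reconciliation run. The following is an added example and not code from the Gartner note or from any vendor's tool. It assumes a hypothetical vendor with an "install" metric for a desktop product and a per-core metric with a 0.5 core factor for a server product; the product names, host names, dates, core factor and usage records are all constructed sample data.

```python
"""Install-based licence position reconciliation with harvest candidates.

Added example; not part of the Gartner note. Assumes a vendor that counts
installed copies (not usage), and for server products a per-core metric with
a vendor-specific core factor. Product names, hosts, dates and the factor
are constructed sample data.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    last_used: Optional[date]   # None: no usage data for this host
    sockets: int = 1            # populated processor sockets
    cores: int = 1              # total physical cores


@dataclass(frozen=True)
class Entitlement:
    product: str
    metric: str                 # "install" or "core"
    quantity: int
    core_factor: float = 1.0    # vendor multiplier per core (hypothetical value)


def units_consumed(inst: Install, ent: Entitlement) -> int:
    """Licence units one deployment consumes under the vendor's own metric."""
    if ent.metric == "install":
        return 1                       # installed counts, used or not
    if ent.metric == "core":
        # Vendors typically round up per deployment, not across the estate.
        return math.ceil(inst.cores * ent.core_factor)
    raise ValueError(f"unknown metric {ent.metric!r}")


def generic_cpu_count(installs, product) -> int:
    """What a generic 'CPU' metric reports: one unit per populated socket.
    Included only to expose the gap against the vendor's core-based count."""
    return sum(i.sockets for i in installs if i.product == product)


def is_harvest_candidate(inst: Install, as_of: date, harvest_days: int = 90) -> bool:
    """Unused for at least harvest_days. Hosts with no usage data never
    qualify, because non-use cannot be demonstrated to an auditor."""
    return inst.last_used is not None and (as_of - inst.last_used).days >= harvest_days


def license_position(installs, entitlements, as_of, harvest_days=90):
    """Per product: entitled vs consumed units, the shortfall, hosts eligible
    for harvesting, and the shortfall that would remain after harvesting."""
    report = {}
    for ent in entitlements:
        mine = [i for i in installs if i.product == ent.product]
        consumed = sum(units_consumed(i, ent) for i in mine)
        harvest = [i for i in mine if is_harvest_candidate(i, as_of, harvest_days)]
        after = consumed - sum(units_consumed(i, ent) for i in harvest)
        row = {
            "metric": ent.metric,
            "entitled": ent.quantity,
            "consumed": consumed,
            "shortfall": max(0, consumed - ent.quantity),
            "harvest_candidates": sorted(i.host for i in harvest),
            "shortfall_after_harvest": max(0, after - ent.quantity),
        }
        if ent.metric == "core":
            row["generic_cpu_count"] = generic_cpu_count(installs, ent.product)
        report[ent.product] = row
    return report


# Constructed sample data (not real products, hosts or vendor terms).
AS_OF = date(2009, 7, 31)
ENTITLEMENTS = [
    Entitlement("OfficeSuite", "install", 3),
    Entitlement("DBServer", "core", 16, core_factor=0.5),
]
INSTALLS = [
    Install("ws01", "OfficeSuite", date(2009, 7, 20)),
    Install("ws02", "OfficeSuite", date(2009, 3, 1)),     # idle 152 days
    Install("ws03", "OfficeSuite", None),                 # no usage data
    Install("ws04", "OfficeSuite", date(2009, 7, 1)),
    Install("db01", "DBServer", date(2009, 7, 30), sockets=2, cores=16),
    Install("db02", "DBServer", date(2009, 1, 15), sockets=2, cores=24),  # storeroom box
]

if __name__ == "__main__":
    for product, row in license_position(INSTALLS, ENTITLEMENTS, AS_OF).items():
        print(product, row)
```

On the sample data the desktop product is one install over its entitlement and the server product is four core units over, yet a generic socket count would report only 4 "CPUs" for the server product against a vendor count of 20. Harvesting the two idle deployments (ws02 and the storeroom server db02) clears both shortfalls; the host with no usage data is deliberately left alone, since removing it cannot be justified to an auditor on usage grounds.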




Negotiate Audit Protections in Contracts in Advance to Minimize Your Exposure

The best time to strengthen contract clauses related to audits is when negotiating a new software license agreement or spending additional money with a vendor. There are several items to consider:

  • Are usage rights clearly defined in the software license agreement? Always consider in detail how licenses will be counted, what should be included in the count and what should be excluded from it. Ensure that you understand your vendors' policies on license compliance, such as whether additional license fees are required for backup or disaster recovery copies, testing and training, and customer access to an application.
  • What will be the notification period? Generally, at least a 60- to 90-day notification before an audit is considered a reasonable period, with the ability to delay the audit for bona fide business reasons, such as year-end processing or a merger. Although it is usually difficult to eliminate audit clauses completely (see Note 5), audits should not be allowed where there are license key protections on the software, unless the vendor has a reasonable expectation that the customer has circumvented such license keys.
  • Who will perform the audit? It may be best to have the software vendor do the audit, because the vendors are more likely to want to maintain a good relationship with their customers. However, if you want a completely independent third party to perform the audit, then include that right in the contract. We recommend specifically excluding vendor-sponsored organizations (such as Business Software Alliance, Software Publishers Alliance and Federation Against Software Theft) from conducting audits, because they are paid, in part, based on license fees generated and can be motivated by publicity and press exposure.
  • If there are personnel from the software vendor's company or from a third party on-site, then a strong confidentiality agreement should be in place.
  • How will the audit be conducted, and what will constitute proof of license by the vendor? Ideally, when negotiating for the initial licenses, but certainly prior to any audit, the vendor should be required to provide a definition of the audit process (that is, what will be measured, how it will be measured and what proofs of license should be required). If the vendor plans to use a proprietary tool to measure usage, then this should be examined to ensure that what is being measured is consistent with your license grant and usage rights, particularly if you have customized agreements.
  • Who will pay for the audit? Often, the contract will state that the customer will bear the cost of the audit if the customer is out of compliance by some percentage (often 5% to 10%). We recommend requiring that the vendor bear the cost of the audit, regardless of the outcome, because this is part of their cost of doing business. Otherwise, the customer should at least contractually stipulate the maximum that it would have to pay for the audit to be conducted, if found out of compliance.
  • If the vendor is using its own proprietary tool to measure compliance, then contractual terms should require it to be run first in a test environment, and to provide for consequential damages if the software causes a production environment to fail.



Tactical Guidelines

Due in part to the economic downturn reducing software license sales, software audits are occurring more frequently. Therefore, enterprises need to actively manage compliance to minimize the exposure associated with audits. Spend 3% to 5% of your software budget on asset management tools, personnel and processes to adequately manage your software assets.


© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.






Note 1
Profile of Survey Participants




The European cities where attendees were surveyed were Basel, Helsinki, London and Stockholm. Participants were predominantly in IT management or IT procurement, and the majority worked in companies with more than 10,000 desktops or laptops.

The asset management survey predominantly consisted of North American respondents working in IT management or IT procurement, with the majority in organizations with 5,000 to 10,000 desktops or more.





Note 2
Results From Gartner Surveys on Audits From 2004 to 2007




To ascertain which software vendors are conducting audits and the number of audits being done, we conducted several surveys on asset management and IT procurement issues at Gartner's yearly IT and Software Asset Management conference from 2004 to 2007. Most of the conference attendees are IT procurement or asset management professionals. During these years, audit results ranged from 31% to 37% reporting at least one software vendor audit.





Note 3
2009 Survey Results




Because the webinar polls and surveys were conducted at asset management or software licensing events — targeting people who are very much involved with software procurement, compliance and license management — it is possible that we had a higher attendance from companies that had been audited, or who were aware of an audit. However, these findings and the vendors mentioned are consistent with inquiries Gartner has received concerning audits.





Note 4
Cost of an Audit




Aside from license fees due if a company is deemed to be out of compliance, the cost of simply undertaking an audit can be considerable. This will depend on how distributed the assets are (more-distributed desktop software is usually more difficult to measure and track than mainframe assets), how sophisticated the asset management processes are, how much usage data is tracked, and how much invoice and contract data is on hand. We have talked to clients that had to spend a great deal of time and money pulling out old documents from companies they acquired years before, trying to find documentation and contracts to justify license usage. Clients we have spoken to about audits have told us that, in general, it took a lot more of their time than they ever expected. Anecdotally, one client we spoke to recently on this topic told us that it spent more than $500,000 completing an audit, and that it was in compliance, so this did not include any license or maintenance fees.





Note 5
Eliminating Audit Clauses




It's rare to see the complete elimination of audit clauses; however, we've seen this in certain government contracts in which security is a significant issue. Vendors always have formal recourse through the court system if there's sufficient evidence of noncompliance. However, lack of confidence or communication regarding this issue can result in suspicion and a poor vendor relationship.